The Weakest Lock

What entry point to your electronic data is the least secure?
The Evernote announcement of forced password resets last week started an email discussion between a colleague and I about password security. I was impressed with the precautionary measures of Evernote and their transparency to admit they detected suspicious network activity. Although they found no evidence that password files were compromised they chose to communicate their findings and force the password resets of all their users. In a blog post and email Evernote states “As a precaution to protect your data, we have decided to implement a password reset.” That’s a small price to pay for a little insurance and peace of mind about my the information in my account. I gladly reset my password and then moved on with my other daily activities.

My email conversation was about password security and authentication measures to access data. Some time ago I started using one of the online password services called PassPack to help me manage passwords for all my accounts. I setup a randomly generated password for most sites, which means I can’t get access to these sites without first signing in to my password manager. Extra security does comes with extra overhead.

Are gestures a good idea for authentication

The email conversation on the topic captured a thought about the weakest entry point.

“Follow up on Bob’s random password use. I use LastPass and have considered having it randomly generate passwords for everything. That would create a complete dependency on LastPass, and I’d want to export / backup the list at times. But then what password guards LastPass? That one password would become the weakest lock.”

For me, PassPack requires both a username / password combination as well as an additional encryption key which is a full phrase/sentence. But conceptually the thought in the email is correct. A single authentication to get access to a group of credentials is the weakest lock or the most impactful lock. If someone were to gain access to my master list of authentication credentials then it really doesn’t matter that each of the sites I use have a different password.

The balance between security and usability.
Yancey Vickers from Red Clay Interactive wrote about the convenience of password manager programs and OpenID in her post One Password to Rule them All. She discusses some of the tradeoffs between added password security and usability. People have a different tolerance for how much security they use in their authentication process. I suspect that the level of overhead I take to sign-in to to a password manager to retrieve a password is not acceptable to most people.

What about mobile devices?
The email goes on to read:

“Then I think about our smart phones. That may be the weakest lock because if you get into my smart phone you can get into a lot of stuff to either gain access or socially engineer others to gain access. For the longest time that was just a 4 digit pin. Now it is a gesture.”

I hadn’t thought about this before the email. But my friend is right. The security requirements for my company issued phone are not the same as those on the company issued laptop. There is no multi-character password requirement, expiration date, or VPN program on the phone. A single pin, or gesture, allows access to corporate email. That does sound like the weakest lock.

Do mobile devices warrant tighter security? Would people use a mobile device if they had to key a password composed of capital, non-capital, numeric, and a special character? What if they had to authenticate with a VPN service after unlocking the phone? The standards seem to vary by device.

The Weakest Lock.
One password to rule them all, One password to find them,
One password to bring them all and in the mobile device bind them.